[Dnssec-trigger] [PATCH] NetworkManager hook should add unbound forward zones for VPN connections

Tomas Hozza thozza at redhat.com
Tue Jul 2 13:16:07 UTC 2013


Hello.

As you may know, in Fedora we have had the DNSSEC on workstations feature
since Fedora 18. It uses unbound and dnssec-trigger to take care of
DNSSEC validation and resolv.conf configuration. I know there is much
more that dnssec-trigger does in addition (detecting hotspots, etc.).

Recently I discovered that dnssec-trigger works really well until you
try to use it with a VPN to some corporate network which provides
its own DNS servers together with internal domain(s).

Currently dnssec-trigger provides an NM dispatcher script that adds
DHCP-obtained DNS servers to dnssec-triggerd. But when it comes
to VPN connections, dnssec-trigger relies completely on VPN clients
to configure unbound and add forwarding zones if they are obtained from the VPN.
This causes dnssec-trigger together with unbound not to work out of
the box when used with VPNs (which is a really common use case).

I think the dispatcher script should be modified to also handle
VPN-provided domains and configure unbound if needed, rather than rely on
third-party scripts to do it. I know there are some issues in NM
and the dispatcher preventing this from being done.

BUT one needed change to NetworkManager has already been merged into
upstream [1] and one more [2] is still pending, but I expect it to
get into upstream, too. If not, I'm ready to solve this issue another way.

I'm also sending you my proposed changes to the dispatcher script. It
is based on the script version in the repository trunk. It also expects both
NM proposed changes [1, 2] to be merged into NM upstream.

Thank you.

Regards,

Tomas Hozza

[1] https://bugzilla.gnome.org/show_bug.cgi?id=701820
[2] https://bugzilla.gnome.org/show_bug.cgi?id=703395
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-NM-hook-configure-unbound-in-case-of-vpn-up-down.patch
Type: text/x-patch
Size: 4016 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20130702/ce92e166/attachment.bin>
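The attached patch itself is not reproduced in the archive. The following is an added example, not the dnssec-trigger project's dispatcher script nor the patch above, of the behaviour the mail asks for: an NM dispatcher hook that, on `vpn-up`, creates an unbound forward zone for each domain the VPN pushes, pointing at the VPN's resolvers, and on `vpn-down` removes those zones again and flushes their cached answers. It assumes the environment NetworkManager exports to dispatcher scripts for VPN actions (`VPN_IP4_NAMESERVERS`, `VPN_IP4_DOMAINS`, space separated) and the `unbound-control` commands `forward_add`, `forward_remove` and `flush_zone`; the `UNBOUND_CONTROL` override variable and the validation helpers are the example's own additions so that it can be dry-run without a live unbound.

```shell
#!/bin/sh
# Added example (not the dnssec-trigger project's own dispatcher hook).
# NetworkManager runs dispatcher scripts as:  <script> <interface> <action>
# and, for the vpn-up / vpn-down actions, exports the VPN's resolvers and
# search domains in VPN_IP4_NAMESERVERS and VPN_IP4_DOMAINS (space separated).

# Override point so the script can be dry-run with a stub instead of the
# real binary (example-only convenience, not an unbound or NM feature).
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Accept only dotted-quad IPv4 literals as forwarders. Values arrive from the
# VPN server, so anything that is not an address is dropped rather than being
# handed to unbound-control as an extra argument.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only plausible zone names: letters, digits, '-', '_' and '.', not
# starting with '-' or '.', and no empty labels.
is_domain() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*|-*|.*|*..*) return 1 ;;
    esac
    return 0
}

# Print the validated VPN resolvers, one per line.
vpn_forwarders() {
    for ns in $VPN_IP4_NAMESERVERS; do
        if is_ipv4 "$ns"; then
            printf '%s\n' "$ns"
        fi
    done
}

# vpn-up: route queries for each VPN-provided domain to the VPN resolvers.
# DNSSEC validation stays enabled for these zones; unbound-control accepts a
# "+i" flag before the zone name to mark it insecure, which belongs only on an
# internal zone that is known to be unsigned.
vpn_forward_zones_add() {
    servers=$(vpn_forwarders | tr '\n' ' ')
    [ -n "$servers" ] || return 0    # no usable resolvers: leave unbound alone
    for domain in $VPN_IP4_DOMAINS; do
        is_domain "$domain" || continue
        "$UNBOUND_CONTROL" forward_add "$domain" $servers
    done
}

# vpn-down: remove the forward zones and drop cached answers under them, so
# internal names stop resolving as soon as the tunnel is gone.
vpn_forward_zones_remove() {
    for domain in $VPN_IP4_DOMAINS; do
        is_domain "$domain" || continue
        "$UNBOUND_CONTROL" forward_remove "$domain"
        "$UNBOUND_CONTROL" flush_zone "$domain"
    done
}

# Dispatcher entry point: $1 is the interface, $2 the action.
case "${2:-}" in
    vpn-up)   vpn_forward_zones_add ;;
    vpn-down) vpn_forward_zones_remove ;;
esac
```

Installed under `/etc/NetworkManager/dispatcher.d/`, the hook only acts on the two VPN actions and ignores everything else, so it coexists with the existing DHCP handling rather than replacing it. Keeping validation on for the forwarded zones is the point of running unbound in the first place; a zone is marked insecure only as a deliberate, per-zone decision.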